{"id":2935,"date":"2017-04-11T10:29:45","date_gmt":"2017-04-11T08:29:45","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=2935"},"modified":"2017-04-11T10:29:45","modified_gmt":"2017-04-11T08:29:45","slug":"insomnihack-2017-2","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/insomnihack-2017-2\/","title":{"rendered":"INSOMNI'HACK 2017"},"content":{"rendered":"

This year again, Intrinsec was present this past Friday, March 24th, for the 10th edition of the Insomni'hack conference organized by SCRT.<\/p>\n

Several presentations were held in 3 different rooms and the corresponding schedule was as follows:\"\"<\/p>\n

Bridging the gap between ICS (IoT?) and corporate IT security<\/h1>\n

\"\"
\nStefan L\u00fcders, CISO of the European Organization for Nuclear Research (CERN), presented us with these problems encountered in defending the CERN ecosystem.<\/p>\n

In such a heterogeneous system, the BYOD issue becomes particularly relevant. Beyond the complexity of implementing update patches, conducting security tests is even more challenging on sensitive systems like those monitoring nuclear reactors, where any disruption is unacceptable.<\/p>\n

While we wait for the official video, an earlier version of this presentation is available here:
\nhttps:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf<\/a><\/p>\n

DevOops Redux<\/h1>\n

This conference was presented by Ken Johnson (@cktricky<\/a>) and Chris Gates (@Carnal0wnage<\/a>), focused on the importance of security for developers' machines and the various tools that are often poorly understood. According to Ken, a development machine is generally a goldmine for an attacker since it contains API keys, passwords for accessing sensitive services, and possibly SSH keys for authentication to pre-production or production servers.<\/p>\n

The primary goal of this presentation was to raise awareness among the audience about three areas: developer awareness, protection of development servers, and deployment management services. Chris and Ken therefore presented several tools, such as Slack auditor<\/a>, gitrob<\/a>, TruffleHog <\/a>or GitMonitor<\/a>, allowing the exploitation of the human factor (forgetting configuration files) and the recovery of this type of sensitive information.
\nRegarding the protection of development servers, various tools were mentioned, such as\u2019Osquery<\/a>\u00a0allowing you to query its operating system, Doorman <\/a>or BlockBlock<\/a>, configured to warn when software wants to persist on the system and request confirmation from the user. SIEM-type solutions were then presented: ELK, StreamAlert <\/a>or Splunk.<\/p>\n

Finally, for the last part of the presentation, Ken and Chris focused on the tools used by the integration chain, presenting configuration flaws often encountered with Jenkins, Redis, Docker or AWS services.<\/p>\n

The presentation slides are available on SlideShare at the following address:
\nhttps:\/\/www.slideshare.net\/chrisgates\/devoops-attacks-and-defenses-for-devops-toolchains<\/a><\/p>\n

Modern recognition phase on APT \u2013 protection layer<\/h1>\n

Paul Rascagn\u00e8res presented five case studies of the reconnaissance phase carried out by "modern" attackers before infecting the target. In all cases, the attack vector was an Office document containing a malicious macro. Analysis of the various techniques used by the attackers revealed a generic process broken down into four steps:<\/p>\n